Thursday, March 31, 2011

I just performed a cross-forest migration of a number of mailboxes. Mailboxes come across as "linked" mailboxes linking to the account in the source forest. To link the mailboxes to the new user account in the destination forest I used the Disable-Mailbox command to unlink the mailbox from the old account, followed by Connect-Mailbox to link the mailbox to the new user account in the destination forest. Users who had been migrated across to the new forest had problems accessing "Options" in Outlook Web App.

Sorry! Access denied

You don't have permission to open this page. If you're a new user or were recently assigned credentials, please wait 15 minutes and try again. If the problem persists, contact your administrator.

I went and created a new mailbox user in the destination forest which I did not migrate. This worked fine. I went and compared attributes between my "test" mailbox account and "jim's" mailbox account.

There were a couple of differences. Jim's mailbox did not have a Role Assignment Policy. The RoleAssignmentPolicy parameter specifies the management role assignment policy to assign to the mailbox when it's created or enabled. If you don't include this parameter when you create or enable a mailbox, the default assignment policy is used. All mailboxes must have at least the default policy! I set the default policy as follows on Jim's account:
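An added example, not the command from the original post: one way to find every mailbox left without a role assignment policy after a re-link and give it the organization's default policy. It assumes the Exchange Management Shell (Exchange 2010 or later) and uses the Get-RoleAssignmentPolicy, Get-Mailbox and Set-Mailbox cmdlets; remove -WhatIf to apply the change.

```powershell
# Added example: run in the Exchange Management Shell.
# Find the policy flagged as the organization default.
$default = Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault }
if (-not $default) { throw "No default role assignment policy found." }

# Mailboxes whose RoleAssignmentPolicy attribute is empty, for example after
# a Disable-Mailbox / Connect-Mailbox re-link following a cross-forest move.
$missing = Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.RoleAssignmentPolicy }

# Review the affected mailboxes before changing anything.
$missing | Select-Object Name, PrimarySmtpAddress, RoleAssignmentPolicy

# Assign the default policy. -WhatIf only reports what would change.
foreach ($mbx in $missing) {
    Set-Mailbox -Identity $mbx.Identity -RoleAssignmentPolicy $default.Name -WhatIf
}
```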

Wednesday, March 30, 2011

After a Windows 7 PC was migrated to the new forest along with the user account and his mailbox, Outlook 2010 continued to reference the old Exchange 2003 servers, which were failing to refer the user to the new Exchange 2010 servers in the new forest.

Sunday, March 27, 2011

I was performing an Active Directory Migration from a Windows Server 2008 DFL/FFL forest with Exchange 2003 to a Windows Server 2008 R2 DFL/FFL forest with Exchange 2010. During the migration I got the following error:

This is due to the difference in schema versions; some attributes are not migrated to the target domain.

The system attribute exclusion list contains two attributes by default: mail and proxyAddresses. ADMT also reads the schema in the target domain. If the target domain schema is further extended, it adds any attributes to the list that are not part of the base schema. Attributes in this list are excluded from migration operations even if the attribute is not specified in the attribute exclusion list.

For more information about this see the article below "Migrating and Restructuring Active Directory Domains Using ADMT v3.1"

Many firewalls on the market support the concept of SSL Bridging and SSL Tunneling. Microsoft firewalls that support this functionality include:

- Internet Security and Acceleration (ISA)
- Forefront Threat Management Gateway (TMG)

What is the difference between SSL Bridging and SSL Tunneling?

SSL Bridging involves decrypting the traffic on the firewall, inspecting the HTML code and filtering it for malware and any content policies that may be applied. The traffic is then re-encrypted, usually using a different certificate provided by an Internal Certificate Authority, and passed on to the end client.

SSL Tunneling involves relaying the traffic unmodified, still encrypted with the digital certificate, to the end client. No filtering can be applied when a router is configured with SSL Tunneling.

Some companies may not wish to have SSL Bridging configured. When dealing with sensitive traffic such as online banking, I for one would be very concerned if I saw the SSL traffic coming to me with a certificate from an Internal Certificate Authority!

Thursday, March 24, 2011

Consider a scenario where the first datacenter contains two DAG members and the witness server, and the second datacenter contains two other DAG members. If the first datacenter loses power and you activate the DAG in the second datacenter (for example, by activating the alternate file share witness in the second datacenter), and the first datacenter is then restored without network connectivity to the second datacenter, the DAG may enter a split brain syndrome.

Datacenter Activation Coordination (DAC) mode prevents split brain syndrome from occurring by including a protocol called Datacenter Activation Coordination Protocol (DACP). After a catastrophic failure, when the DAG recovers, it won't automatically mount databases even though the DAG has a quorum. Instead DACP is used to determine the current state of the DAG and whether Active Manager should attempt to mount the databases.

Datacenter Activation Coordination (DAC) mode is disabled by default.

DACP was created to address this issue. Active Manager stores a bit in memory (either a 0 or a 1) that tells the DAG whether it's allowed to mount local databases that are assigned as active on the server. When a DAG is running in DAC mode (which would be any DAG with three or more members), each time Active Manager starts up the bit is set to 0, meaning it isn't allowed to mount databases. Because it's in DAC mode, the server must try to communicate with all other members of the DAG that it knows to get another DAG member to give it an answer as to whether it can mount local databases that are assigned as active to it. The answer comes in the form of the bit setting for other Active Managers in the DAG. If another server responds that its bit is set to 1, it means servers are allowed to mount databases, so the server starting up sets its bit to 1 and mounts its databases.

But when you recover from a primary datacenter power outage where the servers are recovered but WAN connectivity has not been restored, all of the DAG members in the primary datacenter will have a DACP bit value of 0; and therefore none of the servers starting back up in the recovered primary datacenter will mount databases, because none of them can communicate with a DAG member that has a DACP bit value of 1.
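The startup rule described above, as an added PowerShell illustration (a simplified model, not Exchange code and not part of the original post). The member names MBX1 to MBX4, the site labels and the helper functions New-Member and Start-ActiveManager are constructed for this example.

```powershell
# Added illustration of the DACP startup rule; a simplified model only.
# Each hashtable models one DAG member's Active Manager (constructed names).
function New-Member($Name, $Site) {
    @{ Name = $Name; Site = $Site; Bit = 0 }   # the bit is always 0 at startup
}

function Start-ActiveManager($Member, $Peers, $WanUp) {
    $Member.Bit = 0
    foreach ($peer in $Peers) {
        if ($peer.Name -eq $Member.Name) { continue }
        # A peer in the other site is reachable only while the WAN is up.
        $reachable = ($peer.Site -eq $Member.Site) -or $WanUp
        if ($reachable -and $peer.Bit -eq 1) {
            $Member.Bit = 1        # another member reports mounting is allowed
            break
        }
    }
    return $Member.Bit
}

# Two members per datacenter. The second datacenter was activated during the
# outage, so its members already hold a bit value of 1.
$dag = @(
    (New-Member 'MBX1' 'Primary'),   (New-Member 'MBX2' 'Primary'),
    (New-Member 'MBX3' 'Secondary'), (New-Member 'MBX4' 'Secondary')
)
$dag | Where-Object { $_.Site -eq 'Secondary' } | ForEach-Object { $_.Bit = 1 }

# Restart the primary members, first with the WAN still down, then restored.
foreach ($wanUp in $false, $true) {
    foreach ($m in $dag | Where-Object { $_.Site -eq 'Primary' }) {
        $bit = Start-ActiveManager $m $dag $wanUp
        "WAN up: {0,-5}  {1} bit={2}  mounts databases: {3}" -f `
            $wanUp, $m.Name, $bit, ($bit -eq 1)
    }
}
```

With the WAN down, both primary members stay at 0 and mount nothing, so only the second datacenter serves the databases; once the WAN is restored they learn the bit value of 1 from the secondary members.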

Monday, March 7, 2011

As I'm a Microsoft Engineer I always put Microsoft products first. I use Internet Explorer 8.0 on my desktop PC and high performance laptops.

Being an IT geek I have a number of computers I use for different purposes. I purchased an Asus Eee PC netbook for when I'm on the go and want something light and portable (with a USB port) which rules out the iPad!

I installed Windows 7 Ultimate on the Eee PC netbook and set the Windows theme to "Windows Classic" to provide best optimized performance.

Internet Explorer 8.0 ran like a dog! Performing simple tasks such as utilizing Exchange 2010 Outlook Web App and Facebook continuously hung and became unresponsive. As a result I was forced to install Google Chrome - the performance difference between IE 8.0 and Chrome was amazing!

After just getting back from the MVP summit in Seattle I was speaking with some of the Internet Explorer 9 MVPs. They mentioned that Internet Explorer 9 was completely redesigned and now provides fantastic performance - even faster than Chrome! This I had to see for myself as I found it very hard to believe them (being IE junkies).

I just installed IE 9.0 RC on my Eee PC and yes it is amazingly fast (it is performing faster than Chrome!). If you have tried IE 9.0 Beta and were unimpressed I encourage you to try RC. Between the Internet Explorer 9 Beta and Internet Explorer 9 RC releases, over 2,000 changes have been made to improve browser performance for real customer scenarios.

Internet Explorer 9 RC starts faster, loads webpages faster, and allows you to interact with web pages faster than ever before. One thing I liked is it actually timed how long it took to load each of my browser add-ons. I was then able to disable add-ons such as Microsoft Corporation "Search Helper" which took 0.22 seconds to load. It prompted me to do this - making this very easy for end users!

The Site loading indicator is making sense now! Was very disappointed with previous versions.

However Microsoft failed to listen to the community on some key features. Internet Explorer 9 RC is still missing a Spell Checker - ahhg. This means you need to download a third party add-on to perform this functionality. A download manager would also be an awesome addition.

Microsoft have led the way in terms of hardware acceleration for web browsing. Check out this comparison video comparing a web app which takes advantage of graphics acceleration (Chrome vs IE9).